New Duqu Version Discovered in Wild by Symantec

The discovery of new coding of the Stuxnet-related Trojan comes a day after Kaspersky researchers and others crack mystery code in Duqu.

The Duqu worm,
the close cousin to the Stuxnet worm that was first discovered in September
2011, is back in the wild with some new coding that Symantec security officials
say indicates the attackers behind the Trojan horse program are still at work.
That discovery
comes just as researchers from Kaspersky Lab and elsewhere said theyd finally
identified mysterious code in Duqu that Kaspersky had discovered only weeks
earlier. The Duqu worm reportedly had been in relative dormancy for the past
five months or so, but now appears to be active once again.

According to
researchers, Duqu appears to be closely related to Stuxnet, a Trojan apparently
designed specifically to attack Irans nuclear facilities and equipment. Many
believe that either the United States, Israel or both were behind the Stuxnet
worm, hoping to slow or cripple Irans controversial nuclear ambitions.

The Duqu
software appears to have been designed and created using the same tools as the
ones behind Stuxnet. However, there are some differences from Stuxnet. Where
Stuxnet was designed to attack Irans facilities with hopes of hobbling them or
shutting them down, Duqu appears to be aimed at stealing data, such as
authentication certificates.
The Trojan has
been found in a number of countries, including Iran, Sudan, France, Switzerland
and India. Thanks to researchers at both Symantec and Kaspersky, the command
and control servers were discovered and shut down in October 2011.
Researchers on
March 19 announced that they had finally cracked Duqus mystery code. Kaspersky
Lab researchers earlier this month asked for help in identifying particular
unknown code that controlled the Trojans command and control function.
Kaspersky got responses from researchers around the world, and a week later,
Kaspersky Lab said the mystery had been solved.
In a blog post
on the Kaspersky-run Threat Post site, blogger Paul
Roberts wrote that the language identifying the mystery language as C source
code compiled with Microsoft Visual Studio 2008 and special options for
optimizing code size and inline expansion. The code was also written with a
customized extension for combining object-oriented programming with C,
generally referred to as OO C.
A day later,
Symantec researchers announced that they had discovered a variant of the Duqu worm after
receiving a small component of the overall attack code. In a blog post March
20, the researchers said they had received a file that turned out to be the
loader file that loads the rest of the Duqu malware when the computer restarts.
The rest of the threat is stored encrypted on disk, the Symantec researchers
said.
The
researchers said the compile date on the Duqu component is Feb. 23, signifying
that the new version of the Trojan has not been out very long. In addition,
they said, the creators had changed some of the coding in Duqu to help it get
around some security product detections. A key change to the code was in the
encryption algorithm the creators used to encrypt the other components that are
on the disk, Symantec said.
Other changes
include the fact that while the old driver file was signed with a stolen
certificate, the new version wasnt.
Also the
version information is different in this new version compared to the previous
version we have seen, the researchers wrote. In this case, the Duqu file is
pretending to be a Microsoft Class driver.
The evidence
shows that Duqu isnt going away, they said.
Although we
do not have all of the information regarding this infection, the emergence of
this new file does show that the attackers are still active, the Symantec
researchers said. Without the other components of the attack, it is impossible
to say whether any new developments have been added to the code since we last
saw a release from the group in November 2011.